04 July 2018
The National Fraud Intelligence Bureau has identified an increasing number of reports submitted to Action Fraud from the public, concerning courier fraud.
Fraudsters are contacting victims by telephone and purporting to be either police officers or bank officials. To substantiate their claim, they may use some easily obtainable basic information.
We have received some advice and guidance from Lloyds Banking Group which is summarised below:
Lloyds Banking Group, Commercial Banking Fraud team has identified a live Vishing Fraud campaign (telephone impersonation scam) targeting schools in England in the last two months.
Criminals are contacting schools by telephone impersonating trusted organisations including Bank Fraud departments, with the intention of tricking staff into releasing 2-factor authentication codes (e.g. card/reader codes) or getting staff to move money into new accounts on the pretence that they have been set up to protect funds in existing accounts which are said to have been compromised.
Spoofing technology is being used in the attack presenting the genuine telephone number of the organisation being impersonated on the caller display of the recipient, intended to persuade the target victim that the call is genuine.
This is an established and well known method of attack used by organised criminal groups. Lloyds have been alerting Commercial and Personal customers to this type of fraud for some time, but this is the first time we’ve detected this type of campaign specifically targeting the education sector.
Advice for Schools
Ensure that all staff involved in making or authorising payments are aware of the following guidance:
Take care if being asked to divulge confidential or personal information over the phone, text or email even if the request seems genuine and regardless of what information the requestor describes
Verify the identity of the person/entity contacting you. Contact the company on a number obtained from a trusted and verified source e.g. public records, website
Your Bank will never ask for your online login or 2-factor authentication code details over the phone and will never ask you to move money to a ‘safe’ or ‘secure’ account
Consider setting up dual authorisation for online banking payments if not already in place
Schools are clearly not exempt from the scope of such attempted fraud, so developing a greater awareness amongst staff will help negate this risk. Don’t assume emails/phone calls are authentic and ensure that the necessary checks are completed as a matter of due process.